The 2020 URL Querystring Data Leaks — Millions of User Emails Leaking from Popular Websites to Advertising & Analytics Companies

Breaches have been found on websites including Wish.com, JetBlue.com, Quibi.com, WashingtonPost.com, NGPVan.com and numerous other organizations…

Numerous Enterprise Organizations Leaking User Emails Through 3rd Party Javascript Request Headers Sent via Browsers to 3rd Party Advertising & Analytics Companies

Each of these orgs leaked user emails by unsafely appending the user's email address to a URL in plain text (or base64-encoded), after which that URL, and the email inside it, was passed on to 3rd party advertising and analytics companies.

3rd Party Javascript Collects a “Referrer” URL Field, Which Can Leak User Data and Email Addresses from a Website
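The two leak patterns described above (an email address placed in a URL either as plain text or as a base64 string, which then travels to third parties in the referrer) can be caught before a page ships by scanning the URLs a site generates. The audit script below is an added example written for this article, not code from the original post or from any of the sites named in it; the `ee` parameter name comes from the Wish.com capture described later on the page, while the sample URLs, domains, addresses and the other parameter names are constructed for the demonstration.

```python
"""Audit URLs for email addresses leaking through query strings or fragments.

Added example, not code from the article. Sample URLs below are constructed.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Deliberately simple address pattern: good enough to flag a leak, not to validate mail.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _decode_base64(value):
    """Return the UTF-8 text of a base64 / base64url value, or None if it is not one."""
    # parse_qsl already percent-decodes and turns '+' into ' ', so restore '+' for
    # standard base64, and map the base64url alphabet onto the standard one.
    s = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)          # re-add padding that URLs often drop
    if len(s) < 8:                    # too short to hold an address; skips ids like "42"
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_email_leaks(url):
    """Return (location, parameter, email, encoding) tuples for every leak found in one URL.

    The query string is what a third party sees in the Referer header; the fragment is
    never sent in the header but is readable by any script running in the page.
    """
    parts = urlsplit(url)
    findings = []
    for where, blob in (("query", parts.query), ("fragment", parts.fragment)):
        # Single-page apps put routes like "#/verify?e=..." in the fragment.
        qs = blob.split("?", 1)[1] if "?" in blob else blob
        for key, value in parse_qsl(qs, keep_blank_values=True):
            match = EMAIL_RE.search(value)
            if match:
                findings.append((where, key, match.group(0), "plaintext"))
                continue
            decoded = _decode_base64(value)
            if decoded:
                match = EMAIL_RE.search(decoded)
                if match:
                    findings.append((where, key, match.group(0), "base64"))
    return findings


def audit(urls):
    """Map each leaking URL (e.g. from access logs or a crawl) to its findings."""
    return {u: f for u in urls if (f := find_email_leaks(u))}


# Constructed sample URLs; domains and addresses are placeholders.
SAMPLE_URLS = [
    "https://shop.example/confirm?email=alice%40example.com&ref=abc",  # plain text
    "https://shop.example/?ee=Ym9iQGV4YW1wbGUuY29t",                   # base64("bob@example.com")
    "https://news.example/article?id=42",                              # clean
    "https://app.example/#/verify?e=carol@example.com",                # fragment route
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_URLS).items():
        for where, key, email, enc in findings:
            print(f"{url}\n  {where} param '{key}' carries {email} ({enc})")
```

Run it over the URLs your own templates and redirects emit (or over a day of access logs) and fix every hit at the source by moving the identifier into a POST body or an opaque server-side token. A `Referrer-Policy: strict-origin-when-cross-origin` (or `no-referrer`) header strips the query string from cross-origin referrers and is worth setting regardless, but it is a backstop only: a third-party script embedded in the page can still read `location.href`, which is why the scan checks the fragment as well.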

Quibi Leaking New User Emails on Email Confirmation Webpage to Advertising and Analytics Companies

The Biggest Breach: Wish.com Likely Leaked Hundreds of Millions of User Emails for Over a Year, With the User Emails Encoded into Base64 Strings

A URLScan.io capture of a Wish.com page view from July 23, 2018 that recorded a user's "ee" parameter, which contains their email address encoded as a base64 string. The ee string is blurred for privacy because it contains the user email.

Confirmation from Eliya Stein at Confiant.com, Including Flagging Several New Organizations Receiving Data from Wish.com

JetBlue.com Still Leaking New User Emails to Advertising and Analytics Partners

The Bezos-Schmidt-Funded KongHQ.com (Formerly Known as Mashape) Using Common 2-Step Form That Leaks on the 2nd Step

Democratic Data Broker NGPVan.com / EveryAction.com (& Their Clients) Have Been Pushing User Emails into Google Analytics & Other Systems for Years

Growing Child, Popular Magazine for Parents, Leaking Emails on Unsubscribe Page to Google Analytics and Google's DoubleClick; Only Google Pixels Receiving Data

MailChimp's Mandrill Legacy Email Redirect via Their API Can Leak Mandrill Client User Emails to Advertising and Analytics Companies

If you visit “list-manage.com” you’ll be redirected to a Mailchimp error/details page

Washington Post Leaks Some User Emails in Base64 to Service Providers, Appears Not to Send Data to Any External Advertising Companies

Facebook Manipulates URL Query Parameters (for Filtering), But Still Has a System That Can Be Broken to Leak Emails to 3rd Party Advertising and Analytics Companies

What’s Next? What Questions are Important?

Founded/Co-founded 6 companies (🎞,☎️,🔌,📊,👨‍🏫,🐔), digital team for Obama '08 + numerous other campaigns, motto = Research. Build. Test. Repeat. // whitehat
